Commit Message

Here is the automated regression testing for nftables and some test files.
This is a Python script to check the command line of nft.
This script checks the input of rules to the nft tool from the command line
and their output back to the command line. A few more details
below.
A) What is it checking?
This script tests two different paths:
1) The input of rules to the nft tool from the command line. It checks the
different steps from the command line to the kernel: the parse step, the
evaluate step, the compile step, the generation of the netlink message,
and then it is sent into the kernel.
2) The output that is obtained from the kernel. It checks the different
steps from the kernel to the command line: getting the netlink message,
the parse step, the postprocess step, the textify step and listing
the rule in the command line.
As a last step, it compares the rule that is added and the rule that is listed by nft.
B) What options are available?
The script offers the following options:
1) Execute the whole set of test files (or one test file):
./nft-test.sh => Run all test files
./nft-test.sh path/file.t => Run this test file
So, it tests the input of rules to the nft tool from the command line and
then checks if the rule is added correctly.
If there is a problem, it lists the differences between the rule that is
added and the rule that is listed by nft.
(If more than one family of table is indicated in the test file
and there is an error or a warning in the execution of the rule, the
execution of this rule stops and it does not run in the other families
of tables.)
2) List all rules that are added in the nft tool while this script is run. (It
is similar to a debug mode of this test.)
./nft-test.sh -d
./nft-test.sh -d path/file.t
3) Run marked lines. This mode runs the lines that start with a "-"
symbol (these rules only).
./nft-test.sh -r
./nft-test.sh -r path/file.t
4) Run a rule in all families of table. Run all rules in all families
of tables defined in the test file (even if there was an error
or a warning in a previous family).
./nft-test.sh -a
./nft-test.sh -a path/file.t
C) What is the structure of the test file?
A test file contains a set of rules that are added to the system.
Here is an example of a test file:
*ip;test-ipv4 # line 1
*ip6;test-ipv6 # line 2
*inet;test-inet # line 3
:input;type filter hook input priority 0 # line 4
ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23 # line 5
- tcp dport != {22-25} # line 6
!set1 ipv4_addr;ok # line 7
?set1 192.168.3.8 192.168.3.9;ok # line 8
# This is a commented-line. # line 9
1) Tables:
# Line 1: it defines a table where chains and rules are added.
It defines a table. The name of the table is test-ip and the family is
ip.
In lines 2 and 3, it defines more tables of different families (ip6 and
inet). It's possible to add different types of tables.
2) Chains:
# Line 4: it defines the chain(s) (and the type, hook and priority of
this chain) where rules are added. The name of this chain is "input".
The type is "filter", the hook is "input" and the priority is 0.
3) Rules:
Line 4: This line is divided by the ";" character.
Part 1: "ah hdrlength != 11-23" is the rule to check.
Part 2: "ok" is the result expected from the execution of this rule.
(This rule is added without errors.)
Part 3: "ah hdrlength < 11 ah hdrlength > 23". This is how the rule
looks when it is listed in the command line. If the output rule looks
the same as the input rule, this part is omitted.
4) Marked line:
Line 6: This is a marked line. It means this rule is not run in a
general execution of this script.
If you want to execute this line, it's necessary to run this script with
the "-r" option.
It's useful to mark known bugs or lines that you don't want to execute.
5) Named set:
Line 7: It adds a new set. The name of this set is "set1" and the type
of this set is "ipv4_addr".
Line 8: It adds two elements into the set1 set: "192.168.3.8" and
"192.168.3.9". A whitespace divides the different elements of the set.
Anonymous sets are added as a normal rule. They don't need special
handling.
6) Comments:
Line 9: The "#" symbol means that the line is a comment about the test.
D) The test folders
The test files are divided into directories: ip, ip6, inet, arp, bridge
and any:
* "ip" folder: Here are the test files that are executed in ip and inet
tables.
* "ip6" folder: Here are the test files that are executed in ip6 and inet
tables.
* "inet" folder: Here are the test files that are executed in ip, ip6 and
inet tables.
* "arp" folder: Here are the test files that are executed in arp tables.
* "bridge" folder: Here are the test files that are executed in bridge
tables.
* "any" folder: Here are the test files that are executed in ip, ip6, inet,
arp and bridge tables.
Moreover, it adds the "ip4" folder with specific test files for ip and
inet tables.
Signed-off-by: Ana Rey <anarey@gmail.com>
---
tests/ip/chains.t | 22 ++
tests/ip/icmp.t | 98 +++++++
tests/ip/ip.t | 108 +++++++
tests/ip/nat.t | 18 ++
tests/ip/reject.t | 5 +
tests/ip/sets.t | 31 ++
tests/nft-test.py | 842 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
7 files changed, 1124 insertions(+)
create mode 100644 tests/ip/chains.t
create mode 100644 tests/ip/icmp.t
create mode 100644 tests/ip/ip.t
create mode 100644 tests/ip/nat.t
create mode 100644 tests/ip/reject.t
create mode 100644 tests/ip/sets.t
create mode 100755 tests/nft-test.py
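An added example, not the nft-test.py from this patch: a small parser for the test-file layout the commit message describes (table, chain, rule, marked line, named set, set elements and comment lines). The TestEntry type, the function names and the constructed SAMPLE_T content are assumptions of this example, not the script's own API.

```python
from dataclasses import dataclass
from typing import List, Tuple
# Constructed sample: the layout from the commit message, written out as a .t file.
SAMPLE_T = """\
*ip;test-ipv4
*ip6;test-ipv6
*inet;test-inet
:input;type filter hook input priority 0
ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23
- tcp dport != {22-25}
!set1 ipv4_addr;ok
?set1 192.168.3.8 192.168.3.9;ok
# This is a commented-line.
"""
@dataclass
class TestEntry:                # assumed type, not from nft-test.py
    kind: str                   # "table", "chain", "set", "element" or "rule"
    fields: List[str]           # the ';'-separated fields, leading marker stripped
    marked: bool = False        # line began with "-": only run under -r
# Leading marker -> kind of entry; any other line is a rule.
_MARKERS = {"*": "table", ":": "chain", "!": "set", "?": "element"}

def parse_testfile(content: str) -> List[TestEntry]:
    """Parse the .t layout into entries in file order; '#' lines are comments."""
    entries = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marked = line.startswith("-")
        line = line[1:].strip() if marked else line
        kind = _MARKERS.get(line[0], "rule")
        if kind != "rule":
            line = line[1:]
        entries.append(TestEntry(kind, [p.strip() for p in line.split(";")], marked))
    return entries

def expected_listing(rule: TestEntry) -> str:
    """Third field of a rule line; when omitted, nft should list the rule as written."""
    return rule.fields[2] if len(rule.fields) > 2 else rule.fields[0]

def set_elements(entry: TestEntry) -> Tuple[str, List[str]]:
    """'?' line: set name followed by the whitespace-separated elements."""
    name, *elems = entry.fields[0].split()
    return name, elems

def select_rules(entries: List[TestEntry], run_marked: bool = False) -> List[TestEntry]:
    """Default run: unmarked rules only; with -r: only the marked rules."""
    return [e for e in entries if e.kind == "rule" and e.marked == run_marked]
```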